On this page: |
| Summary: CAST AIP 8.3.3 introduces a number of features and changes as listed below. |
Please see Technology coverage changes in CAST AIP 8.3.x for more detailed discussion of this subject.
Continuing with the dashboard re-naming modifications made in CAST AIP 8.3.2 (see Changes or new features - 8.3.2), the WAR files have now been renamed as follows:
| Previous name | New name |
|---|---|
| CAST-AAD.war | CAST-Health.war |
| CAST-AED.war | CAST-Engineering.war |
| CAST-AAD-AED.war | CAST-Health-Engineering.war |
Please ensure that you take note of this and modify any WAR deployment routines you may have. See also:
The following CAST AIP web applications now support user authentication over SAML:
Windows Server 2016 is now supported for use with CAST AIP, CAST Delivery Manager Tool and CAST dashboards. Please see Supported Platforms for more information.
Windows Server 2016 is only supported by CAST when installed in Desktop Experience mode(i.e. with a GUI). |
The CAST Update Tool (CUT.exe) and its command line counterpart (CUT-CLI.exe) have been removed from the CAST AIP setup and are no longer installed. All upgrade actions are to be performed with CAST Server Manager or the upgrade batch file.
The CastGlobalSettings.ini file has been cleaned up to remove references to an obsolete environment variable "%ALLUSERSPROFILE%\Application Data\". This has been replaced with the variable "%PROGRAMDATA%". There is no impact to end users.
The colour used for the Risk Model view and tile has changed from red to yellow:
The Critical Violation toggle icon has been redesigned - there is no change to the behaviour of this toggle icon. See Engineering Dashboard for more information.
Improvements have been made to the Change Language option:
See:
| Note only English (en_US) and Chinese (zh_CN) are supported locales. All other locales that are added will not be displayed. |
The columns displayed when drilling down from Health Measure tiles, Top Critical Rules, Technologies Overview tiles have been redesigned:
It is now also possible to force the "% Compliance" column to display "% Failed". See HD - Dashboard wide configuration options in json in the app-navigation.json section.
The top user menu now has an additional drop down menu item called "Change Language". This allows a user to change the language of the text items in the dashboard, providing an administrator has configured the language:
See:
| Note only English (en_US) and Chinese (zh_CN) are supported locales. All other locales that are added will not be displayed. |
Improvements to the User Input Security feature have been added in this release.
A new extension called Security for Java is available for download and installation - this extension automatically generates JEE specific bytecode (also known as "CASTIL") for the User Input Security feature. It provides more accurate results than the bytecode that was previously generated by the analyzer and CAST highly recommends that this extension is used if you are intending to perform User Input Security checks as part of your source code analysis.
The User Input Security feature will now automatically generate blackbox methods on the fly during the analysis process for all methods which do not have a body, i.e. all code that is deemed to be "external" to the application boundary. This includes the majority of assemblies for which no source code can be found (framework assemblies, third-party JARs/assemblies, internal frameworks without source code etc.). It is still possible to manually create blackbox methods if necessary.
The following CWE are now supported:
A new option called PurgeVersion has been added to enable you to automate the deletion of a Version who's extracted source code has already been deleted, i.e. the version is present in the "Delivery without source code" section of the CAST Management Studio GUI. See Automating CAST Management Studio tasks for more information.
The CAST Delivery Manager Tool now has a new tab called Package Alerts that is present for some package types:
Click to enlarge
This tab contained three panels:
See also How do I fine-tune my Version in Onboarding an Application in CAST AIP.
Architecture Checker can report violations between two Layers even when objects inside the targeted Layer not only are external, but also belong to a module external to the Application being checked. The only constraint is that the objects inside the Layer from which the Dependency towards the targeted Layer is issued, must belong to a module internal to the Application. For example, it is possible to check for links which reach objects belonging to a .NET assembly outside of the Application boundary, provided these links start from objects in a module which is internal to the Application (even though these latter objects can be external).
The CAST Architecture Checker now has a CLI mode that can be used to run a check model action (equivalent to the same action in the GUI). See Automating CAST Architecture Checker tasks for more information.
To avoid having empty transactions, if a transaction has non-contributing End Points then their DET value is considered as a contribution to the transaction. In previous releases of CAST AIP some of these End Points had a DET value of 0 , and as a consequence these transactions were considered as empty.
To avoid this situation, starting from CAST AIP 8.3.3, where transactions ONLY have non-contributing End Points, the minimum DET of the transaction is set to 1. The impact of this is that after upgrade to CAST AIP 8.3.3, some of the transactions which were empty before may now become valid. This can happen with the predefined list of End Points delivered in CAST AIP, when the following End Points are reached and they are the only one reached by the transaction:
Click to enlarge
Two previously undocumented CAST System Views (CSV) for the Dashboard Service schema have now been documented. Please see CAST System Views - Dashboard Service for more information:
In addition, both CAST System Views listed above contained column names that had typographical errors. These typographical errors have been fixed by adding new columns spelt correctly. The existing column names containing the spelling errors will remain and are now deprecated, therefore, please update any scripts or queries that use the existing column names: